Madirish Tutorial 08
C:\>ping whitepower.com
Pinging whitepower.com [64.39.238.134] with 32 bytes of data:
Reply from 64.39.238.134: bytes=32 time=71ms TTL=240
Reply from 64.39.238.134: bytes=32 time=70ms TTL=240
Reply from 64.39.238.134: bytes=32 time=70ms TTL=240
Reply from 64.39.238.134: bytes=32 time=70ms TTL=240
Ping statistics for 64.39.238.134:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 70ms, Maximum = 71ms, Average = 70ms
C:\>
Next we need to figure out who owns or runs the box, and where it is physically located. This information may be useful for social engineering, password guessing, or just to find out if the law will come looking for you when you knock on this box's door. I used ARIN's whois lookup first, to find out who hosts the service. Here are the results:
ARIN Search Results:
World Internet Services (NET-HISPEED-2)
330 Rancheros Drive Suite #108
San Marcos, CA 92069
US
Netname: HISPEED-2
Netblock: 64.39.224.0 - 64.39.239.255
Coordinator:
Baker, Jasen (JB770-ARIN) jasenb@hispeed.com
760-761-0495 (FAX) 760-744-3778
Domain System inverse mapping provided by:
NS1.HISPEED.NET 209.145.61.253
NS2.HISPEED.NET 209.145.61.254
Record last updated on 21-Jul-2000.
Database last updated on 27-Mar-2001 22:52:10 EDT.
Next I used a Network Solutions whois lookup to find out exactly who registered the domain, mostly for the reasons mentioned above. Here's what we find:
Network Solutions Search Results:
Registrant:
whitepower.com (WHITEPOWER6-DOM)
Micetrap Distribution Post Office
Box 8813
Turnersville, NJ 08012
US
Domain Name: WHITEPOWER.COM
Administrative Contact, Technical Contact, Billing Contact:
Micetrap, James (ISD16) micetrap14@AOL.COM
Micetrap Distribution
Post Office Box 55
Maple Shade, NJ 08052
US
609-451-9314 609-451-9314
Record last updated on 25-Jan-2001.
Record expires on 03-Apr-2004.
Record created on 03-Apr-1999.
Database last updated on 27-Mar-2001 23:15:00 EST.
Domain servers in listed order:
NS1.AFFORDABLE-SPACE.COM 209.145.62.111
NS2.AFFORDABLE-SPACE.COM 64.39.238.137
Now comes the interesting part. I switched over to my Linux box and ran a quick nmap scan of the box; there is tons of juicy info in here:
Starting nmap V. 2.30BETA17 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (64.39.238.134):
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
81/tcp open hosts2-ns
110/tcp open pop-3
143/tcp open imap2
444/tcp open snpp
617/tcp open unknown
1414/tcp open ibm-mqseries
1488/tcp open docstor
3306/tcp open mysql
TCP Sequence Prediction: Class=random positive increments
Difficulty=5661830 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14
Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds
So there are a whole lot of entry points to this domain. We could potentially exploit any of the services we see running. Of course it would be easier to do this if we knew which program and version was offering each service. You can find this out simply by telnetting to the well-known ports and seeing what you get. I like to try out some basic accounts and 'expn' the root account on an SMTP server to see if it will give up any goods. Unfortunately this server doesn't allow expn (which shows the members of groups that receive mail; 'expn users' would show the recipients of mail to 'users@whitepower.com'. root, postmaster, mail, and users are all good groups to check out if you can.) The finger daemon isn't running either, or we'd 'finger 0@whitepower.com' to get a list of all user accounts, if that function hadn't been disabled. Here are my results:
C:\>telnet 64.39.238.134
Cobalt Linux release 5.0 (Pacifica)
Kernel 2.2.14C10 on an i586

C:\>telnet 64.39.238.134 25
220 www.affordable-space.com ESMTP Sendmail 8.9.3/8.9.3; Wed, 28 Mar 2001 11:28:28 -0500
helo affordable
250 www.affordable-space.com Hello [216.25.200.135], pleased to meet you
expn root
502 Sorry, we do not allow this operation
quit
221 www.affordable-space.com closing connection

FTP:
C:\>ftp 64.39.238.134
Connected to 64.39.238.134.
220 ProFTPD 1.2.0rc3 Server (ProFTPD) [64.39.238.134]
User (64.39.238.134:(none)):
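The nmap port table and the banners collected by hand above are two halves of one job: working out which program and version sits behind each open port. The script below is an added example, not part of the tutorial, written from the point of view of an administrator reviewing what one of their own hosts exposes. It parses the nmap 2.x "Port State Service" table, pulls product and version strings out of the captured banners, and joins the two into a per-port report. The sample data is copied from the session shown in the text; the review policy sets (which services carry credentials in the clear, which should never face the internet) and the signature table are assumptions made for the example.

```python
"""Added example: join an nmap 2.x port table with captured service banners
into an exposure report.  Sample data is the session shown in the tutorial;
the policy sets and signature table are assumptions for this example."""
import re
from dataclasses import dataclass

# Constructed sample input: the nmap output from the tutorial, verbatim.
NMAP_OUTPUT = """\
Starting nmap V. 2.30BETA17 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (64.39.238.134):
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
81/tcp open hosts2-ns
110/tcp open pop-3
143/tcp open imap2
444/tcp open snpp
617/tcp open unknown
1414/tcp open ibm-mqseries
1488/tcp open docstor
3306/tcp open mysql
TCP Sequence Prediction: Class=random positive increments
"""

# Constructed sample input: the banners captured by hand, keyed by port.
BANNERS = {
    23: "Cobalt Linux release 5.0 (Pacifica)\nKernel 2.2.14C10 on an i586",
    25: "220 www.affordable-space.com ESMTP Sendmail 8.9.3/8.9.3; "
        "Wed, 28 Mar 2001 11:28:28 -0500",
    21: "220 ProFTPD 1.2.0rc3 Server (ProFTPD) [64.39.238.134]",
}

# One "<port>/<proto> <state> <service>" row of the nmap 2.x table.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)$")

# Assumed signature table: product name and a pattern capturing its version.
SIGNATURES = [
    ("Cobalt Linux", re.compile(r"Cobalt Linux release (\d[\w.]*)")),
    ("Linux kernel", re.compile(r"Kernel (\d[\w.]*)")),
    ("Sendmail", re.compile(r"Sendmail (\d[\w.]*)")),
    ("ProFTPD", re.compile(r"ProFTPD (\d[\w.]*)")),
]

# Assumed review policy: protocols that send passwords in the clear, and
# services that have no business being reachable from the internet.
CLEARTEXT_AUTH = {"ftp", "telnet", "pop-3", "imap2"}
INTERNAL_ONLY = {"mysql"}


@dataclass(frozen=True)
class Port:
    number: int
    proto: str
    state: str
    service: str


def parse_nmap(text):
    """Return the Port rows found in an nmap 2.x text report."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def extract_software(banner):
    """Return (product, version) pairs disclosed by a banner, in table order."""
    found = []
    for product, pattern in SIGNATURES:
        m = pattern.search(banner)
        if m:
            found.append((product, m.group(1)))
    return found


def review(ports, banners):
    """Map each open port with at least one issue to its service, issues and
    any software versions its banner gave away."""
    report = {}
    for p in ports:
        if p.state != "open":
            continue
        issues = []
        if p.service in CLEARTEXT_AUTH:
            issues.append("cleartext-credentials")
        if p.service in INTERNAL_ONLY:
            issues.append("internal-only-service-exposed")
        if p.service == "unknown":
            issues.append("unidentified-listener")
        software = extract_software(banners.get(p.number, ""))
        if software:
            issues.append("version-disclosed")
        if issues:
            report[p.number] = {"service": p.service, "issues": issues,
                                "software": software}
    return report


if __name__ == "__main__":
    for port, entry in sorted(review(parse_nmap(NMAP_OUTPUT), BANNERS).items()):
        print(port, entry["service"], entry["issues"], entry["software"])
```

Run stand-alone, the script lists ftp, telnet, pop-3 and imap2 as cleartext-credential services, mysql as an internal service exposed to the internet, port 617 as an unidentified listener, and the exact Sendmail, ProFTPD, Cobalt Linux and kernel versions the banners disclose. Ports such as 80 and 53 produce no entry because the assumed policy has nothing to say about them; extending the policy sets and the signature table is how the report grows to cover other services.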
It's also a good idea to check whether anonymous FTP is enabled. If it is, you can give 'anonymous' as your username and an e-mail address (such as 'foo@hotmail.com') as your password.
Lastly I want to check to find out what the gateway computer to this target is. To do this all we have to do is run a traceroute:
C:\>tracert 64.39.238.134
Tracing route to 64.39.238.134 over a maximum of 30 hops
2 10 ms 20 ms 10 ms atm4-0-0.red-devil.dca.fcc.net [216.25.192.1]
3 <10 ms 10 ms 10 ms 209.249.187.229.fcc.net [209.249.187.229]
4 <10 ms 10 ms 10 ms main1-main2-ge.iad1.above.net [209.249.187.226]
5 <10 ms 10 ms 10 ms core4-main1-oc48.iad1.above.net [208.185.0.153]
6 <10 ms 10 ms 10 ms core1-iad1-oc48.iad2.above.net [209.249.0.214]
7 <10 ms 10 ms 10 ms level3-above-oc12.iad2.above.net [209.249.0.174]
8 <10 ms 10 ms 10 ms so-4-1-0.mp2.Washington1.level3.net [209.247.10.77]
9 70 ms 70 ms 70 ms loopback0.hsipaccess2.SanDiego1.Level3.net [209.244.2.81]
10 70 ms 70 ms 70 ms 63.210.174.38
11 70 ms 70 ms 80 ms 64.39.238.134
Trace complete.
C:\>
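Reading the hop before the target off a traceroute, and spotting where the round-trip time jumps from the East Coast to the West Coast, is easy to do by eye on one trace and tedious on fifty. The parser below is an added example, not part of the tutorial: it reads Windows tracert output (sub-10 ms hops printed as "<10 ms", timeouts as "*", hosts either as "name [ip]" or a bare IP), returns the address of the hop that precedes the target, and flags hops where the minimum round-trip time rises by more than a chosen threshold. The sample is the trace from the text laid out as tracert prints it; the timed-out hop 1 is constructed to exercise the timeout path and does not appear in the original.

```python
"""Added example: parse Windows tracert output, find the hop before the
target, and flag large latency jumps.  Sample data is the trace from the
tutorial; hop 1 is a constructed timeout line."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample input, formatted as tracert prints it.  Hop 1 is made up
# so the "Request timed out." path is exercised; the rest is from the text.
TRACERT_OUTPUT = """\
Tracing route to 64.39.238.134 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2    10 ms    20 ms    10 ms  atm4-0-0.red-devil.dca.fcc.net [216.25.192.1]
  3   <10 ms    10 ms    10 ms  209.249.187.229.fcc.net [209.249.187.229]
  4   <10 ms    10 ms    10 ms  main1-main2-ge.iad1.above.net [209.249.187.226]
  5   <10 ms    10 ms    10 ms  core4-main1-oc48.iad1.above.net [208.185.0.153]
  6   <10 ms    10 ms    10 ms  core1-iad1-oc48.iad2.above.net [209.249.0.214]
  7   <10 ms    10 ms    10 ms  level3-above-oc12.iad2.above.net [209.249.0.174]
  8   <10 ms    10 ms    10 ms  so-4-1-0.mp2.Washington1.level3.net [209.247.10.77]
  9    70 ms    70 ms    70 ms  loopback0.hsipaccess2.SanDiego1.Level3.net [209.244.2.81]
 10    70 ms    70 ms    70 ms  63.210.174.38
 11    70 ms    70 ms    80 ms  64.39.238.134

Trace complete.
"""

# A hop line: number, three RTT fields ("<10 ms", "10 ms" or "*"), then host.
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.*?)\s*$")
# Host field: optional name followed by "[ip]", or a bare IP.
HOST_RE = re.compile(r"^(?:(\S+)\s+)?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$")


@dataclass(frozen=True)
class Hop:
    number: int
    rtts: Tuple[Optional[int], ...]   # None for a "*" timeout
    name: Optional[str]
    address: Optional[str]            # None when the hop did not answer


def _rtt(token):
    """'*' -> None; '<10 ms' is treated as 10 (an upper bound)."""
    return None if token == "*" else int(re.sub(r"\D", "", token))


def parse_tracert(text):
    """Return one Hop per numbered line of a tracert report, in order."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = tuple(_rtt(t) for t in re.findall(r"<?\d+ ms|\*", m.group(2)))
        host = HOST_RE.match(m.group(3))
        name = host.group(1) if host else None
        address = host.group(2) if host else None
        hops.append(Hop(int(m.group(1)), rtts, name, address))
    return hops


def last_hop_before(hops, target_ip):
    """Address of the hop immediately preceding the target, or None."""
    for prev, hop in zip(hops, hops[1:]):
        if hop.address == target_ip:
            return prev.address
    return None


def min_rtt(hop):
    known = [r for r in hop.rtts if r is not None]
    return min(known) if known else None


def latency_jumps(hops, threshold_ms):
    """Hop numbers where the minimum RTT rose by at least threshold_ms over
    the previous answering hop; timed-out hops are skipped."""
    jumps, prev = [], None
    for hop in hops:
        cur = min_rtt(hop)
        if cur is not None and prev is not None and cur - prev >= threshold_ms:
            jumps.append(hop.number)
        if cur is not None:
            prev = cur
    return jumps


if __name__ == "__main__":
    hops = parse_tracert(TRACERT_OUTPUT)
    print("hop before target:", last_hop_before(hops, "64.39.238.134"))
    print("latency jumps at hops:", latency_jumps(hops, 30))
```

On the trace above the hop before the target is 63.210.174.38, matching the reading in the text, and the only latency jump (with a 30 ms threshold) is at hop 9, where the path leaves the Washington Level3 router for San Diego. The threshold is the one tunable worth thinking about: coast-to-coast hops add tens of milliseconds, while a single congested router adds a few, so a threshold in the 20 to 40 ms range separates geography from jitter on a trace like this.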
Using the traceroute we see that the gateway is 63.210.174.38. This is the computer that filters all information sent to and from the target web host. This could be a simple router, or it could be a firewall (doubtful in this case since the target gave up the goods really easily). In order to make a full scan, we should repeat the above steps on the gateway and see if we can find any other useful information about the target, gateway, or network.
So, as you can see we can find out a lot of useful information about a target remotely. From here we can investigate exploits for services running or simply try to brute force password guess the services.